Hijack Log- Fake Visa Verification Site [CLOSED]


This topic is locked.

#136 fenzodahl512 (Malware Removal, 9,863 posts)

> Also in my C: drive I noticed 2 files today that were never there before. I noticed them because I was running out of disk space and these files are large. Can I delete these files:
> hiberfil.sys - 509 MB
> pagefile.sys - 768 MB
>
> These files are not in a subfolder, but are in the main C: drive.


Don't worry.. those two files are legit and needed.. Don't delete them...


Need to ask you.. Do you still have the save NTLDR is compressed error when you are trying to boot into Recovery Console normally?


#137 fenzodahl512 (Malware Removal, 9,863 posts)
Typo.. should be

"Do you still have the same NTLDR is compressed error when you are trying to boot into Recovery Console normally?" :) :)

#138 decane (Topic Starter, 105 posts)
Yes - I still get the NTLDR is compressed error when I try to boot into Recovery Console normally.

One good thing is that Visa Pop-up hasn't come back.

#139 fenzodahl512 (Malware Removal, 9,863 posts)
And, about your hotmail password?


Ok.. Let resolve that first...


Please reboot into Recovery Console via the CD...

At C:\WINDOWS prompt type cd c:\ and press Enter

Then, at C:\ type attrib -c ntldr and press Enter..

At the prompt, type: exit and press Enter..

Then try to boot into Recovery Console normally (without CD).. if success, do the fixmbr thing in Recovery Console..

Post me a fresh mbr.txt log here..

#140 decane (Topic Starter, 105 posts)
I followed your steps and still can't access the recovery console without the cd.

I'm still having problems logging into hotmail via internet explorer. I have to enter my password twice. I don't have any problems if I use firefox.

Also, I sometimes have the issue that while I'm typing the cursor will jump to a different location on the screen.

Any thoughts?

#141 fenzodahl512 (Malware Removal, 9,863 posts)
Let's check the status of the mbr.exe issue. I see where a simple directory change was needed, so let's do that now.


First of all, Please transfer (copy/paste) mbr.exe which is located in your Desktop to C:\ folder (not C:\WINDOWS)..



Go to Start >> Run, type [/b]cmd[/b] and press Enter. A black DOS box will appear.


At the prompt type cd\, then press Enter.


At C:\ prompt, type mbr.exe -f and then press Enter.. (be sure to place a space after "mbr.exe")


Once that has completed, repeat step above (by typing mbr.exe -f and then press Enter)


Still with the command window open, click on the icon in the top left-hand corner of the Command Window and choose Edit >> Select All and then Edit >> Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here.

Then click on C:\mbr.exe and again allow it to do a quick scan, and post back here the contents of the new C:\mbr.log as well please..

#142 decane (Topic Starter, 105 posts)
Sorry I didn't have computer access last night. I will work on it this evening. Thanks.

#143 fenzodahl512 (Malware Removal, 9,863 posts)

> Sorry I didn't have computer access last night. I will work on it this evening. Thanks.



Waiting for you :)

#144 decane (Topic Starter, 105 posts)
I'm back. I'm working on it.

#145 decane (Topic Starter, 105 posts)
I copied the mbr.exe to C:

When I go to start run type [/b]cmd[/b] I get the following error message:

Windows cannot find [/b]cmd[/b]. Please make sure you typed the name correctly.....

Any thoughts?


#146 fenzodahl512 (Malware Removal, 9,863 posts)

> I copied the mbr.exe to C:
>
> When I go to start run type [/b]cmd[/b] I get the following error message:
>
> Windows cannot find [/b]cmd[/b]. Please make sure you typed the name correctly.....
>
> Any thoughts?



sorry decane.. my mistake :)

it should be cmd

I made a mistake with bbcode...

Please proceed with previous instruction..

Regards
fenzodahl512

#147 decane (Topic Starter, 105 posts)
After I typed in mbr.exe -f, I got the same message that I received previously. The only difference is that this time it appeared in the command window instead of the text file.


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

It seems like we keep having issues with running mbr.exe and accessing the Recovery Console. Also, how do I get rid of the malicious code info that appeared on the log the other day?

#148 fenzodahl512 (Malware Removal, 9,863 posts)
OK.. Sorry for being so long, and redundant.. Let's look at your "NTLDR is compressed" issue first... Then, let's re-do the Recovery Console and Dr.Web thingy.. and look at what it can find this time..


Please copy everything inside the quote box below and paste it into Notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as seekme.bat on your desktop.

(attrib C:\ntldr)>>"%USERPROFILE%\Desktop\ntldr.txt"

Double-click seekme.bat A window will open and close quickly, this is normal.

A new textfile (ntldr.txt) will be created on your Desktop.. Please post its content in your next reply..

If you are not sure how to make a batch file, please visit HERE for the tutorial.



NEXT


Please reboot into Recovery Console via cd (again..) and do the FIXMBR things.. Then just double-click the mbr.exe and post the log here (mbr.txt)..



NEXT


Let's do a re-scan with Dr.Web and then post the log here...


So, I would like to see the following logs in your next reply.

1. ntldr.txt
2. mbr.txt
3. Dr.Web..



Regards
fenzodahl512

#149 decane (Topic Starter, 105 posts)
A SHR C:\ntldr

I'm working on the other steps. Is Dr.Web the one that does a quick scan and then a full scan? I think Dr.Web CureIt takes about 3 hours.

#150 decane (Topic Starter, 105 posts)
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !



--------------------
The same malicious code has been found. Are you sure I should run the Dr.Web CureIt? We have run it a few times and it hasn't fixed the issue, and it takes 3 hours. :)

Can you send me a link to the program that you want me to use just so I'm sure we are the same page?

Also, is there another program we should try?

Thanks again for all of your help.
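The two mbr.exe logs in this thread (the first with "kernel: error reading MBR", the second with "malicious code @ sector ..." and "copy of MBR has been found in sector 62") are worth looking at side by side. The following is an added example, not code from the thread, from Geeks to Go or from Gmer: it parses the detector's text output into a verdict, and then applies to a raw disk image the one check the tool reports as "copy of MBR has been found in sector N". How Gmer's own heuristic works is not stated on the page, so the byte-level check here (another sector carrying sector 0's partition table and 0x55AA signature, with different boot code) is an assumption about one plausible implementation. The disk images are constructed for the example: the layout mirrors the thread's log (original MBR stashed at sector 62 behind a patched sector 0) but every byte is synthetic.

```python
"""Added example around the mbr.exe findings above (not the thread's or Gmer's code).

parse_mbr_log()  - turns the detector's text output into a verdict dict.
find_mbr_copies() - scans a raw disk image for other sectors that carry
                    sector 0's partition table + boot signature, the fingerprint a
                    bootkit leaves when it stashes the original MBR elsewhere.
mbr_code_differs() - reports whether the live boot code differs from that copy.
All disk images are constructed; the 'sector 62' layout copies the thread's log.
"""
import re
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # bytes 510..511 of a valid MBR
TABLE = slice(446, 510)         # four 16-byte partition entries
CODE = slice(0, 446)            # boot code, the part a bootkit patches


def parse_mbr_log(text):
    """Summarise mbr.exe output. Line formats are those shown in the thread:
    read-status lines, 'malicious code @ sector X size Y', 'copy of MBR ... sector N'."""
    verdict = {
        "user_read_ok": "user: MBR read successfully" in text,
        "kernel_read_ok": "kernel: MBR read successfully" in text,
        "malicious_code": None,
        "mbr_copy_sector": None,
    }
    m = re.search(r"malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)", text, re.I)
    if m:
        verdict["malicious_code"] = {"sector": int(m.group(1), 16),
                                     "size": int(m.group(2), 16)}
    m = re.search(r"copy of MBR has been found in sector (\d+)", text)
    if m:
        verdict["mbr_copy_sector"] = int(m.group(1))
    # A kernel-side read failure (the thread's first log) proves nothing either
    # way, so it is reported as inconclusive rather than clean.
    if not verdict["kernel_read_ok"]:
        verdict["status"] = "inconclusive"
    elif verdict["malicious_code"] or verdict["mbr_copy_sector"] is not None:
        verdict["status"] = "infected"
    else:
        verdict["status"] = "clean"
    return verdict


def find_mbr_copies(image):
    """Sector numbers (besides 0) whose partition table and boot signature
    equal sector 0's. Assumed heuristic, not Gmer's published logic."""
    mbr = image[:SECTOR]
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("sector 0 has no 0x55AA boot signature")
    table = mbr[TABLE]
    if not any(table):
        raise ValueError("sector 0 has an empty partition table")
    hits = []
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if s[510:512] == BOOT_SIG and s[TABLE] == table:
            hits.append(n)
    return hits


def mbr_code_differs(image, copy_sector):
    """True when sector 0's boot code differs from the stashed copy, i.e. the
    live MBR has been patched while the partition table was kept intact."""
    saved = image[copy_sector * SECTOR:(copy_sector + 1) * SECTOR]
    return image[CODE] != saved[CODE]


def build_mbr(code, table):
    assert len(code) == 446 and len(table) == 64
    return code + table + BOOT_SIG


def sample_images():
    """Constructed clean and infected 64-sector images (all bytes synthetic)."""
    # one bootable NTFS-type (0x07) partition starting at LBA 63, 2000 sectors
    table = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2000) + bytes(48)
    clean_code = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 56)[:446]   # synthetic
    clean_mbr = build_mbr(clean_code, table)
    clean = clean_mbr + bytes(SECTOR * 63)

    evil_code = (b"\xeb\x3e\x90" * 149)[:446]                       # synthetic stub
    infected = bytearray(clean)
    infected[0:SECTOR] = build_mbr(evil_code, table)            # patched sector 0
    infected[62 * SECTOR:63 * SECTOR] = clean_mbr               # original stashed
    return clean, bytes(infected)


# The second log from the thread, reproduced as sample input.
THREAD_LOG = """Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x950e4c1 size 0x1e4 !
copy of MBR has been found in sector 62 !
"""

if __name__ == "__main__":
    print(parse_mbr_log(THREAD_LOG))
    clean, infected = sample_images()
    print("clean image copies:", find_mbr_copies(clean))
    hits = find_mbr_copies(infected)
    print("infected image copies:", hits, "patched:", mbr_code_differs(infected, hits[0]))
```

The practical point for the thread: the first log's "kernel: error reading MBR" is not a clean result, it is no result, which is why the helper re-ran the tool; the second log is what a relocated-original-MBR bootkit looks like, and Dr.Web scanning the filesystem will not touch sector 0 or sector 62, which is why the helper keeps coming back to fixmbr from the Recovery Console.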
